gozi_ifsb | d22de2ac8939c185e56867b691702abd0304adf75c2b62dbff801228bdcf0dbe | Triage

Submit
Reports

Overview

overview

Static

static

SecuriteIn...77.exe

windows7_x64

3

SecuriteIn...77.exe

windows10-2004_x64

Sharing

General

Target

SecuriteInfo.com.Variant.Tedy.123517.9877.3264
Size

1.8MB
Sample

220702-s37elagafm
MD5

212b1e774e310dbe4e92b01854f31d53
SHA1

635349bf28642a2a4b32155fe2864f6dfd51a483
SHA256

d22de2ac8939c185e56867b691702abd0304adf75c2b62dbff801228bdcf0dbe
SHA512

3c7be7251079c9610ddd5923307d4887746d6f43c8dcf81d82e2696726000cf8912be1530f1a388cd4520289bf0722dc270defbe23a631771a83befc2d9f689e

Score

10^/10

gozi_ifsb warzonerat evasion infostealer persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Variant.Tedy.123517.9877.exe

Resource

win10v2004-20220414-en

warzonerat evasion infostealer persistence rat trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

workstation2022.ddns.net:5254

Targets

- Target
  
  SecuriteInfo.com.Variant.Tedy.123517.9877.3264
- Size
  
  1.8MB
- MD5
  
  212b1e774e310dbe4e92b01854f31d53
- SHA1
  
  635349bf28642a2a4b32155fe2864f6dfd51a483
- SHA256
  
  d22de2ac8939c185e56867b691702abd0304adf75c2b62dbff801228bdcf0dbe
- SHA512
  
  3c7be7251079c9610ddd5923307d4887746d6f43c8dcf81d82e2696726000cf8912be1530f1a388cd4520289bf0722dc270defbe23a631771a83befc2d9f689e
Score

10^/10

warzonerat evasion infostealer persistence rat trojan
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Warzone RAT Payload
  rat
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratevasioninfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy